Bug 1268830 - Foreman role permission violations are not logging
Summary: Foreman role permission violations are not logging
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.2
Hardware: Unspecified
OS: Unspecified
medium
medium vote
Target Milestone: Unspecified
Assignee: Ivan Necas
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: 1122832
TreeView+ depends on / blocked
 
Reported: 2015-10-05 12:11 UTC by Peter Vreman
Modified: 2019-11-14 07:01 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:51:07 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 18410 Normal Closed Foreman role permission violations are not logging 2020-05-13 14:45:13 UTC
Red Hat Product Errata RHBA-2016:1500 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 12:24:38 UTC

Description Peter Vreman 2015-10-05 12:11:06 UTC
Description of problem:
Related to BZ1268829 with retrieving the Facts with only the Viewer role.
There is no audit / logging that the user has too less permissions to view the facts.
The logging even shows that the user is Authorized correctly.
That the response will be empty because there is no permission is not logged.
This makes troubleshooting complex what the cause is that no facts are returned.

$ curl -s -uviewer:xxxx https://li-lc-1578.hag.hilti.com/api/v2/users/viewer | jq .roles
[
  {
    "id": 19,
    "name": "Anonymous"
  },
  {
    "id": 16,
    "name": "Viewer"
  }
]

$ curl -s -uviewer:xxxx https://li-lc-1578.hag.hilti.com//api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999 | jq .
{
  "results": {},
  "sort": {
    "order": null,
    "by": null
  },
  "search": " host = li-lc-1443.hag.hilti.com",
  "per_page": 9999,
  "page": 1,
  "subtotal": 0,
  "total": 0
}

2015-10-05 11:46:07 [I] Processing by Api::V2::FactValuesController#index as JSON
2015-10-05 11:46:07 [I]   Parameters: {"per_page"=>"9999", "apiv"=>"v2", "host_id"=>"li-lc-1443.hag.hilti.com"}
2015-10-05 11:46:07 [I] Authorized user viewer(viewer )
2015-10-05 11:46:07 [I]   Rendered api/v2/fact_values/index.json.rabl within api/v2/layouts/index_layout (3.0ms)
2015-10-05 11:46:07 [I] Completed 200 OK in 341ms (Views: 27.8ms | ActiveRecord: 47.8ms)



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Query facts using a User with only the Viewer role
2.
3.

Actual results:
No logging that the user has to less permissions

Expected results:
Logging that the user has no permissions to view the facts

Additional info:

Comment 2 Peter Vreman 2015-10-05 14:21:36 UTC
I just found that Foreman 1.9 looks like it has this feature with the granualary logging include 'permissions':

--------
Foreman debugging

Edit /etc/foreman/settings.yaml and either uncomment or add these lines:

:logging:
  :level: debug

And reload Foreman:

touch ~foreman/tmp/restart.txt

Enabling more specific logs

More types of log messages can be enabled from settings.yaml:

    app - web requests and all general application logs (default: true)
    ldap - high level LDAP queries (e.g. find users in group) and LDAP operations performed (default: false)
    permissions - evaluation of user roles, filters and permissions when loading pages (default: false)
    sql - SQL queries made through Rails ActiveRecord, only debug (default: true)

Uncomment or add a :loggers block to enable or disable loggers:

:loggers:
  :ldap:
    :enabled: true
--------

Comment 3 Bryan Kearney 2015-10-07 20:53:11 UTC
So 1.9 (which will be included in 6.2) will meet the requirements of this bug?

Comment 4 Peter Vreman 2015-10-08 06:47:28 UTC
Correct, based on the documentation of Foreman 1.9 it will meet the requirements of this bug.
This bug is only minor and needed when you have to troubleshoot a misconfiguration. Target 6.2 is ok for me.

Comment 6 jcallaha 2016-07-12 19:02:40 UTC
Failed QA in Satellite 6.2 Beta Snap 19.1

The logs still do not note when a user is trying to perform an operation they are not authorized to. For example, compare the two log entries below. The second entry does not explicitly log that the user is unauthorized to perform the action they are trying.

 1
---
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:36:56 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I]   Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
[I] Authorized user admin(Admin User)

 2
---
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:38:03 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I]   Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
[I] Authorized user viewer(viewer)
[I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.9ms)
[I] Filter chain halted as :authorize rendered or redirected
[I] Completed 403 Forbidden in 58ms (Views: 4.6ms | ActiveRecord: 11.6ms)



/etc/foreman/settings.yaml

...
# Log settings for the current environment can be adjusted by adding them
# here. For example, if you want to increase the log level.
:logging:
  :level: debug

# Individual logging types can be toggled on/off here
:loggers:
  :ldap:
    :enabled: true
  :permissions:
    :enabled: true

Comment 7 orabin 2016-07-13 08:36:57 UTC
Hi,

In the output of the log from comment 6 the user without authorization gets: Completed 403 Forbidden which does indicate there is an authorization issue.

What I understand from the description of the bug is that the problem is only when everything in the log looks good (Completed 200 OK) but you don't see the full output because of permissions.
Does that case work with the settings change?

Comment 8 jcallaha 2016-07-15 12:41:13 UTC
The question may be more suited for the reporter. While 403's could potentially be considered to be showing when a user doesn't have permissions, I would personally like to have seen a more explicit log of a role permissions violation. The text returned by the API is a great example of such a message. Is it possible to have this response logged as well, like normal responses are?

{
  "error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: view_hosts"
  }
}

Comment 9 Peter Vreman 2016-07-15 13:24:15 UTC
As a UI User I expect a clean error message instead of the content being show. This should be all in the same UI web page and not a generic Forbidden page. Because as a User i might be continueing to click on the an other content to be shown.

Comment 11 errata-xmlrpc 2016-07-27 08:57:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

Comment 14 Ivan Necas 2017-02-07 12:11:25 UTC
Created redmine issue http://projects.theforeman.org/issues/18410 from this bug

Comment 15 Ivan Necas 2017-02-07 12:17:42 UTC
With permissions logging enabled, the denials were still not logged fully in API. In fix https://github.com/theforeman/foreman/pull/4257, I've added logging of reason for permissions denials for API + changed the level
in UI logging from debug to info, as I believe this information is on
different level than other debug info from permissions.

Comment 18 Zach Huntington-Meath 2017-08-16 18:56:49 UTC
I verified this on on snap-11.0 the steps I took were

1. Created a user with only viewer roles

2.

curl -s -u tester:changeme https://ibm-ls21-04.rhts.eng.bos.redhat.com/api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999 
{
  "total": 0,
  "subtotal": 0,
  "page": 1,
  "per_page": 9999,
  "search": " host = li-lc-1443.hag.hilti.com",
  "sort": {
    "by": null,
    "order": null
  },
  "results": {}
}


3. Then I checked in the production log and found:

2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)
2017-08-16 14:53:52 31a4650f [app] [I] Authorized user tester(testy )
2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)

Comment 19 pm-sat@redhat.com 2018-02-21 16:51:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> https://access.redhat.com/errata/RHSA-2018:0336


Note You need to log in before you can comment on or make changes to this bug.